VDB

GCVE-110-OSM-2026-7585

GCVE-110-OSM-2026-7585
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 8, 2026
@injectivelabs/sdk-ts@1.20.21 was compromised via a GitHub contributor account — which unverified reports indicate was hijacked — that injected malicious code into the TypeScript SDK before publication to npm. The malicious version was published on July 8, 2026 at approximately 22:59 GMT+2 and received 310 confirmed downloads before a revert was published at 23:48 GMT+2. The attacker introduced fake telemetry functionality that silently exfiltrates cryptographic material — mnemonic phrases and private key hex values — whenever developers invoke key derivation functions. This gives the attacker the ability to fully regenerate victim private keys and drain associated cryptocurrency wallets. Safe versions are 1.20.20 (prior release) and 1.20.22 or later. The package has approximately 50,000 weekly downloads and 87 dependent packages on npm, 17 of which are also part of the @injectivelabs ecosystem and pulled in v1.20.21 as a dependency. **Attack vector** Malicious code injected via a GitHub contributor account (which unverified reports indicate was hijacked) prior to npm publish. Attacker created a test branch named `test-backdoor-check` during the intrusion (2026-07-08 20:06 GMT+2) before pushing the malicious release. **Malicious behavior** Fake telemetry function `trackKeyDerivation()` hooks into two key derivation methods: - `PrivateKey.fromMnemonic()` — captures full mnemonic phrases - `PrivateKey.fromHex()` — captures private key hex material Captured data is base64-encoded and exfiltrated via HTTP POST. The encoded payload is placed in the `X-Request-Id` header of outbound requests. Data captured is sufficient to fully regenerate the victim's private key and drain associated cryptocurrency wallets. **Affected files** - `/dist/cjs/accounts-Cy0p4lLW.cjs` - `/dist/esm/accounts-jQ1GSgaW.js` **Network indicators** - `hxxps://hexhole[.]injective[.]network` (GitHub issue) - `hxxps://testnet[.]archival[.]chain[.]grpc-web[.]injective[.]network` (Socket analysis) **File hashes (SHA-256)** - `103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0` — CJS build - `9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9` — ESM build **Timeline** - 2026-07-08 20:06 GMT+2 — Attacker creates `test-backdoor-check` branch via contributor account - 2026-07-08 22:59 GMT+2 — Malicious v1.20.21 published to npm - 2026-07-08 23:18 GMT+2 — Revert commit submitted by maintainers - 2026-07-08 23:48 GMT+2 — Clean version published **Dependent packages that pulled in v1.20.21** @injectivelabs/wallet-base, @injectivelabs/wallet-core, @injectivelabs/wallet-cosmos, @injectivelabs/wallet-private-key, @injectivelabs/wallet-evm, @injectivelabs/wallet-trezor, @injectivelabs/wallet-cosmostation, @injectivelabs/wallet-ledger, @injectivelabs/wallet-wallet-connect, @injectivelabs/wallet-magic, @injectivelabs/wallet-strategy, @injectivelabs/wallet-turnkey, @injectivelabs/wallet-cosmos-strategy, @injectivelabs/utils, @injectivelabs/networks, @injectivelabs/ts-types, @injectivelabs/exceptions

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@injectivelabs/sdk-ts1.20.21 (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›